skupperproject / skupper-docs

Documentation for the Skupper project
https://skupper.io

allowedOutgoingLinksHostnames: claim vs router+edge #89

Open hash-d opened 2 years ago

hash-d commented 2 years ago

When creating a link using a claim token (as opposed to a cert token), Skupper will first connect to the claim service, and then configure the link to the router (inter-router and possibly edge router).

The claim service and the two routers may be running on different hostnames, depending on the Kubernetes distribution and other factors. If that is the case, and the policy is receiving full hostnames, then both hostnames must be listed on the policy.

Similarly, when removing policies, both hostnames need to be removed: if only the claims hostname is removed, new links will be disallowed, but the existing links will be unaffected.

This should not be an issue when the hostnames are actually regexes that accept any FQDN within a given domain.

The documentation currently does not mention this detail. Please consider whether it should be added to the documentation.

@fgiorgetti to comment.

hash-d commented 2 years ago

I have edited the issue title and description to reflect the information from https://github.com/skupperproject/skupper/issues/762. Adding only the inter-router host may not be enough for allowing the links.
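
An added example, not part of the comments above and not Skupper's own code: a pre-flight check that lists which endpoints of a claim-token link an `allowedOutgoingLinksHostnames` list fails to cover, and what that means for new versus existing links as described in this issue. The hostnames are constructed, and the matching semantics (`*` allows everything, any other entry is a regular expression matched against the whole hostname) are an assumption.

```python
import re

# Constructed sample: the three endpoints a claim-token link touches.
# Hostnames are made up for illustration.
ENDPOINTS = {
    "claims": "claims-west.apps.example.com",
    "inter-router": "skupper-inter-router-west.apps.example.com",
    "edge": "skupper-edge-west.apps.example.com",
}

def host_allowed(hostname, patterns):
    """Assumed semantics: '*' allows any host; any other entry is a
    regular expression that must match the whole hostname."""
    for pattern in patterns:
        if pattern == "*":
            return True
        try:
            if re.fullmatch(pattern, hostname):
                return True
        except re.error:
            continue  # an unparsable entry allows nothing
    return False

def uncovered_endpoints(endpoints, patterns):
    """Roles whose hostname is not accepted by any policy entry."""
    return sorted(role for role, host in endpoints.items()
                  if not host_allowed(host, patterns))

def new_claim_link_allowed(endpoints, patterns):
    """A new claim-token link needs the claims host and the router hosts."""
    return not uncovered_endpoints(endpoints, patterns)

def existing_link_allowed(endpoints, patterns):
    """An established link only talks to the routers, not the claims host."""
    routers = {r: h for r, h in endpoints.items() if r != "claims"}
    return not uncovered_endpoints(routers, patterns)

if __name__ == "__main__":
    policies = {
        "routers only": [ENDPOINTS["inter-router"], ENDPOINTS["edge"]],
        "domain regex": [r".*\.apps\.example\.com"],
    }
    for name, patterns in policies.items():
        print(name, "missing:", uncovered_endpoints(ENDPOINTS, patterns),
              "new link:", new_claim_link_allowed(ENDPOINTS, patterns),
              "existing link:", existing_link_allowed(ENDPOINTS, patterns))
```

The "routers only" case is the revocation pitfall from the first comment: new links are refused while established links keep working.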

pwright commented 2 years ago

@fgiorgetti Do we need to address this issue soon?